[Emerging-Sigs] Daily Ruleset Update Summary 2020/06/17

Jason Taylor jastaylor at emergingthreats.net
Wed Jun 17 14:13:20 HDT 2020


[***]            Summary:            [***]

2 new OPEN, 32 new PRO (2 + 30). MortiAgent, IcedID, Various phishing.

Many rules in the Suricata 5 ruleset have been updated with Suricata 5
rule syntax/keywords. A complete list of rules that were changed can
be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-06-17T22:42:01.txt

Thanks: Pedro.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++]          Added rules:          [+++]

Open:

2030347 - ET TROJAN Cobalt Strike Malleable C2 (Safebrowse Profile) GET (trojan.rules)
2030348 - ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160) (exploit.rules)

Pro:

2843067 - ETPRO TROJAN MortiAgent CnC Activity (trojan.rules)
2843068 - ETPRO TROJAN Win32/Ymacco.AA17 Retrieving Payload (trojan.rules)
2843069 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M1 (trojan.rules)
2843070 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M2 (trojan.rules)
2843071 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M3 (trojan.rules)
2843072 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M4 (trojan.rules)
2843073 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M5 (trojan.rules)
2843074 - ETPRO TROJAN Observed DNS Query to Unk.Loader Domain M6 (trojan.rules)
2843075 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-06-17 1) (trojan.rules)
2843076 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-06-17 2) (trojan.rules)
2843077 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-06-17 (current_events.rules)
2843078 - ETPRO CURRENT_EVENTS Successful Linkedin Phish 2020-06-17 (current_events.rules)
2843079 - ETPRO CURRENT_EVENTS Successful Facebook Phish 2020-06-17 (current_events.rules)
2843080 - ETPRO CURRENT_EVENTS Successful Interbank Phish 2020-06-17 (current_events.rules)
2843081 - ETPRO CURRENT_EVENTS Successful Bank Austria Phish 2020-06-17 (current_events.rules)
2843082 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-06-17 (current_events.rules)
2843083 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-06-17 (current_events.rules)
2843084 - ETPRO CURRENT_EVENTS Successful Citibank Phish 2020-06-17 (current_events.rules)
2843085 - ETPRO POLICY Inbound PowerShell - Decimal Byte Array M1 (policy.rules)
2843086 - ETPRO POLICY Inbound PowerShell - Decimal Byte Array M2 (policy.rules)
2843087 - ETPRO TROJAN PowerShell Loader Dropping Obfuscated PE (trojan.rules)
2843088 - ETPRO TROJAN Observed Malicious SSL Cert (PowerShell Loader CnC) (trojan.rules)
2843089 - ETPRO TROJAN PowerShell/Test3 CnC Checkin (trojan.rules)
2843090 - ETPRO TROJAN FRat Powershell Loader CnC Activity M4 (trojan.rules)
2843091 - ETPRO TROJAN Win32/Agent.UEL CnC Activity (trojan.rules)
2843092 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843093 - ETPRO TROJAN Observed IcedID CnC Domain in TLS SNI (trojan.rules)
2843094 - ETPRO TROJAN Observed Malicious SSL Cert (AZORult CnC) (trojan.rules)
2843095 - ETPRO CURRENT_EVENTS Successful Oberbank Phish 2020-06-17 (current_events.rules)
2843096 - ETPRO TROJAN Win32/Remcos RAT Checkin 464 (trojan.rules)

[///]     Modified active rules:     [///]

2843058 - ETPRO TROJAN FRat Powershell Loader CnC Activity M2 (trojan.rules)
2843060 - ETPRO TROJAN FRat Powershell Loader CnC Activity M3 (trojan.rules)
2843061 - ETPRO TROJAN FRat Powershell Loader CnC Activity M5 (trojan.rules)

JT
